Change the FQDN of the RPort server

Learn how to use your own name instead of the random * hostname

Create your DNS record

If you want to change the FQDN of a RPort server installed via the cloud-installer the first step is to create a DNS A Record that points to the IP address of your virtual machine.

🧨 Do not use a CNAME record pointing to the * FQDN. Always use an A-record.

The free DNS service of RPort will delete unused hostnames automatically, and your CNAME-record would become orphaned.

We will use as an example for the new hostname of your RPort server.

Login to the console of your rport-server using SSH and verify the new DNS record has been set up properly. Execute the following two commands. Both must print the same IP address – the IP address of your RPort server.

# Query the DNS
$ dig +short

# Fetch your external IP address
$ wget -qO - ''

Generate new SSL certificates

If you already have certificates for the new FQDN, you can skip this step.

Stop the RPort server first. To generate new free certificates via Let's Encrypt, execute the following commands.

systemctl stop rportd
# Generate
certbot certonly -d $FQDN -n \
  --agree-tos --standalone \
# Change group ownerships so rport can read the files
chgrp rport /etc/letsencrypt/archive/
chmod g+rx /etc/letsencrypt/archive/
chgrp rport /etc/letsencrypt/live/
chmod g+rx /etc/letsencrypt/live/
chgrp rport /etc/letsencrypt/archive/$FQDN/
chmod g+rx /etc/letsencrypt/archive/$FQDN/
chgrp rport /etc/letsencrypt/archive/$FQDN/privkey1.pem
chmod g+rx /etc/letsencrypt/archive/$FQDN/privkey1.pem
chgrp rport /etc/letsencrypt/live/$FQDN/
ls -l /etc/letsencrypt/live/$FQDN/

Change the rportd configuration

Change the ssl key and cert

With the new certificates generated, or with your own certificates, open the configuration file /etc/rport/rportd.conf with an editor. Scroll down to the lines where certificates are configured. Certificates are registered twice. In the [server] and [api] section. Change it as shown.

Before (with random * FQDN)

# in the [server] section
tunnel_proxy_cert_file = "/etc/letsencrypt/live/"
tunnel_proxy_key_file = "/etc/letsencrypt/live/" 
# in the [api] section
cert_file = "/etc/letsencrypt/live/"
key_file = "/etc/letsencrypt/live/"

After (example with your FQDN)

# in the [server] section
tunnel_proxy_cert_file = "/etc/letsencrypt/live/"
tunnel_proxy_key_file = "/etc/letsencrypt/live/" 
# in the [api] section
cert_file = "/etc/letsencrypt/live/"
key_file = "/etc/letsencrypt/live/"

Change the client connect url

The rportd.conf file contains a setting url =, that indicates clients who is their server. You must change this setting to the new hostname. If the client url contains a hostname, you must change it. If it contains an IP address, no changes are needed.

Before (with random * FQDN)

url = ""

After (example with your FQDN)

url = ""

If you client url consist of a hostname you must change this hostname on all clients too in the rport.conf client configuration file.

Change the tunnel host

If your rport server runs behind a reverse proxy, can be your own or a service like CloudFlare, pay attention to the tunnel_host setting. Usually, you must specify an alternative hostname that points directly to your rport server, bypassing all reverse proxies.

Change the server URL for sending two-factor tokens via email

If your RPort server is using the default script to send two-factor tokens via email, you must enter the new URL of your server in /usr/local/bin/ too.

Open the script with an editor and enter the URL of your RPort server.


-F url=https://* 2>&1)

After (example with your FQDN):

-F url= 2>&1)

Wildcards are not supported for custom domain names.

Chang the Totp name

Also consider changing the totp_account_name. When using TOTP as the second login factor, this field is filled. If you chose the FQDN of the server as the value for this field, this value should be changed in line with the new FQDN.

Start RPortd

Finally, start the rport server again with systemctl start rportd. Type in the new https://<NEW_FQDN> into your browser and check. 🎉

Don't be frightened if clienst appear disconnected. Because the rport server has beend stopped for a while it takes some time to reconnect. But trust, they will all reconnect.

Remove unneeded certificates

After rportd is running again and uses the new certificates for the new FQDN, the old certificated should be removed. Otherwise, certbot would try to renew them too, at worst running into DNS resolution errors since the old FQDN doesn't exist any more. A proper clean-up can be achieved by running certbot delete and selecting the old cert via the corresponding number key.

Last updated